For anyone who doesn’t subscribe to the security list (you should!)
https://groups.google.com/forum/#!msg/rubyonrails-security/NkKc7vTW70o/NxW_PDBSG3AJ
You may want to note that an earlier advisory made out that only apps using *action in their routes were affected, but this turned out not to be true
Fred